
Contribution Details

Type Conference or Workshop Paper
Scope Discipline-based scholarship
Published in Proceedings Yes
Title An Exploratory Study on Regression Vulnerabilities
Organization Unit
Authors
  • Larissa Braz Brasileiro Barbosa
  • Enrico Fregnan
  • Vivek Arora
  • Alberto Bacchelli
Editors
  • Fernanda Madeiral
  • Casper Lassenius
  • Tayana Conte
  • Tomi Männistö
Presentation Type paper
Item Subtype Original Work
Refereed No
Status Published in final form
Language
  • English
ISBN 9781450394277
Page Range 12 - 22
Event Title ESEM '22: ACM / IEEE International Symposium on Empirical Software Engineering and Measurement
Event Type conference
Event Location Helsinki Finland
Event Start Date October 19 - 2022
Event End Date October 23 - 2022
Place of Publication New York, NY, USA
Publisher ACM
Abstract Text Background: Security regressions are vulnerabilities introduced into a previously unaffected software system. They often happen as a result of code changes (e.g., a bug fix) and can have severe effects. Aims: We aim to increase the understanding of security regressions. Method: To this aim, we perform an exploratory, mixed-method case study of Mozilla. First, we analyze 78 regression vulnerabilities and 72 bug reports where a bug fix introduced a regression vulnerability at Mozilla. We investigate how developers interact in these bug reports, how they perform the changes, and under what conditions they introduce these regressions. Second, we conduct five semi-structured interviews with as many Mozilla developers involved in the vulnerability-inducing fixes. Results: Security is not discussed during bug fixes. Developers' main concerns are the complexity of the bug at hand and the community pressure to fix it. Developers do not worry about regression vulnerabilities and assume tools will detect them. Indeed, dynamic analysis tools helped find around 30% of these regressions. Conclusions: Although tool support helps identify regression vulnerabilities, it may not be enough to ensure security during bug fixes. Furthermore, our results call for further work on security tooling support and its integration during bug fixes.
Official URL https://dl.acm.org/doi/10.1145/3544902.3546250
Digital Object Identifier 10.1145/3544902.3546250
Other Identification Number merlin-id:23370